CND Theft Exposed
Dade Pendwyn
Canadian Conduit - Presidential Address #5
I said the eye was watching. I wasn't kidding...
The Executive and CSIS both conducted independent investigations of the theft, and we have both arrived at the same conclusion despite not sharing information until now. This article represents the work of the Executive - you can expect a report from the CSIS soon.
***Important Information - Please Read***
1) www.ecanada.cc is the new location of the forums - they are the exact same forums, just a different address.
2) Proof (which will be outlined in this article) has shown 1ronman is the CND infiltrator.
3) In light of this abuse of database privilege, as well as this atrocious theft, 1ronman is being removed from forum and irc admin.
4) Since 1ronman owns the ecanada.ws domain name, the forums will be moved to ecanada.cc (don't worry, all the forums remain - 1ronman owned the domain only, not the server).
5) All government organizations are secure.
It is with great sadness that I announce that a prominent eCanadian, and somebody I have considered a longtime friend (despite minor bumps in the road), is the Canadian National Defense thief. The CND password was the only one passed over the forums, and upon thorough investigation of the forum server log (which we were given access to by the owner of the server) we can prove that 1ronman snuck into the database and viewed the PM containing the CND password; just hours later, the CND was compromised. Everything can be proven with logs and screenshots.
TL;DR Version of Evidence Implicating 1ronman
Server Evidence
1) On June 11th at 1:07am, -0700, 1ronman goes into the forum database and views the message "NEW CND PASSWORD", msg_id 26347, which was sent by Chucky Norris to Dade Pendwyn, and contained the password to the Canadian National Defense organization.
2) Hours later the Canadian National Defense organization began sending out PMs pretending to be Chucky Norris asking for the passwords to Supply Branches of the CAF. Later messages were sent from the CND asking for money that had been recently disbursed from the CND to be returned. The thief was trying to get as much funding into the org as possible before making the theft.
3) Not long after these messages were sent out, the thief likely realized he could not wait any longer for funds to return in case Supply Officers saw through his fake messages. On June 12th he donated the funds to Robotic Constructions, as well as sold himself the company containing some of the CAF's Q1 Weapon stockpile.
4) Knowing that the Canadian National Defense password was the only one to be passed via forum PM, Dade Pendwyn contacts NeoIce, owner of the forum server, to see if there was any record of who accessed the message in question. After discovering that 1ronman accessed the CND password message in the database just prior to the CND becoming compromised, he decided to set up a "sting" message to be doubly certain that the thief is 1ronman.
5) On June 14th at 12:00 PST, Dade has Minister of Finance SirDeLaShaunRon Smith send a forum PM to Dade containing a fake new password to the Revenue Canada organization. At around 14:00 PST, in a private conversation, Dade informs 1ronman he believes a hacked erep account was the reason for the compromise, and that from now on he would only send passwords on the forums. 1ronman agreed. Dade pointed out that trying to get passwords from ministers was like pulling teeth, and so far he had only managed to get a new one for Revenue Canada. At 15:35 PST 1ronman logged into the database and viewed the message containing the fake Revenue Canada password. He was the only person aside from Dade and Shaun (neither of whom have database access - 1ronman was the only one besides the server owner who did) who knew about the message. This was the "sting" message, and 1ronman bit.
Possible Motives
For those of you who question why 1ronman would do something like this, as we all first did, consider these motives.
1) 1ronman informed me prior to his announcement that he greatly wishes to become the first V2 President of eCanada, which he anticipates will be coming in July. Creating a scandal in the current administration means it's a lot less likely that there would be competition from the current CP in the upcoming elections.
2) He told me in a private conversation (which I can not post here as it is against eRepublik rules) that he wanted more money for V2 - this was his motivation for buying bonds in such a large quantity.
3) His organization listed on ERX has reported losses, which means either that his companies are losing money or that he's lying about the losses to avoid paying dividends - either way, it makes a theft of this sort feasible.
The following is the server log evidence, as explained by NeoIce - 1ronman's ip address has been censored in this version of the article.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Ironman logs into the server with a cryptographic key. These are more secure than passwords and are a holdover from when eCanada was originally hosted on my personal web server, thule.neoice.net. In theory, this crypto key also has a password associated with it, making it extremely hard to steal someone's login credentials. The following messages are from the `auth.log` on "collective", the webserver that currently hosts eCanada.
auth.log:Jun 14 15:29:26 collective sshd[4738]: Accepted publickey for ecanada from 70.72.xxx.xxx port yyyyy ssh2
auth.log:Jun 14 18:39:42 collective sshd[13834]: Accepted publickey for ecanada from 70.72.xxx.xxx port yyyyy ssh2
This establishes that this IP address (70.72.xxx.xxx) belongs to Ironman.
All URL requests at eCanada are logged. These messages contain a ton of information. First and foremost, we have the requesting IP address and a timestamp. All times are in PST, which is noted by the "-0700", meaning -7 hours from UTC. Next, we have the requested URL. If you're observant, you may have noticed many URLs contain things like "post_id=blah". These are variables which can be encoded within URLs and then processed by the server. Some variables, like "token" or "session_id", are basically junk, but some variables like "msg_id" are very important in determining the content of the page viewed. After the request URL, we have the "return code" and "referring URL". The return code is just a flag to say "this request worked" or "this request failed for this reason." Many people are familiar with "error 404"; those get logged. The "referring URL" is the page that the user clicked through from (if any). The last bit of information in the log entry is the "user-agent". This is information on the operating system and web browser used to make the request. This is also unimportant.
Here we see a raw entry in the eCanada.ws access_log. We will break it up according to the classification above.
70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1" 200 5685 "http://ecanada.ws/phpmyadmin/sql.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
IP address: 70.72.xxx.xxx
Date: [14/Jun/2010:15:35:00 -0700]
Requested URL: "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1"
Return Code: 200 5685
Referral URL: "http://ecanada.ws/phpmyadmin/sql.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC"
User-Agent: "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
So, now that we know how to analyze an access log, let's start by just stripping off the junk, which, conveniently, is most of the end.
70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1"
Now we have just the IP, date and request. We can trim the request a bit too, since "token" is garbage and isn't important either. "HTTP/1.1" is just telling us what kind of request it was, so we'll chuck that out too.
70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php"
If you know anything about programming databases, a "primary key" is generally the piece of information that uniquely identifies an item. If you have a table of users, it's very likely that they will have a "primary key" of their user ID number. Since we know we're looking at messages, we can assume that the primary key is the message. The "sql_query" doesn't contain any useful information, but it does look like the kind of SQL query someone (or some software) would make if they were browsing phpbb_privmsgs.
70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187
This is really the meat of the request. URLs convert certain characters for safety reasons in the format %##. %20 is the most common, referring to a space. For readability, let's clean this up really quickly. (reference: http://www.december.com/html/spec/esccodes.html)
70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=+`phpbb_privmsgs`.`msg_id`+=+27187
I haven't covered the most basic parts yet! phpMyAdmin is a web-based control panel for MySQL databases like the one eCanada runs on. "tbl_change.php" is a page that opens a single object for viewing/editing. Everything after the question mark is information tbl_change.php uses to determine what object it's opening. Here we see it looked in database "ecanada", table "phpbb_privmsgs" and msg_id "27187". This message is the sting message which was set up with the fake password.
ecanada.ws_access_log.1:70.72.xxx.xxx - - [11/Jun/2010:01:07:34 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=7974c6448e7c7bfc3ea422714e465d5a&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+26347&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1" 200 5567 "http://ecanada.ws/phpmyadmin/sql.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
Here we see the raw log entry for someone viewing message 26347. Let's clean it up quickly.
70.72.xxx.xxx - - [11/Jun/2010:01:07:34 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=`phpbb_privmsgs`.`msg_id`+=+26347
This msg_id corresponds to the password for Canadian National Defense. It was viewed just before the account started sending out the messages trying to get more money into the org for theft.
Ironman viewed the password for CND message shortly before the attack on CND took place. A subsequent sting operation by the Prime Minister confirmed Ironman's interest in messages regarding passwords for the executive branch. It is reasonable to conclude that Ironman used his access to gain access to the CND account and commence the publicly known attack.
All of the raw logs used in this investigation are available upon request, due to their large filesize and potential to contain "sensitive" information.
NeoIce
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
***All screenshots, server logs, and conversations are posted with the permission of NeoIce***
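As an added example (not part of the article and not NeoIce's own tooling), the log analysis walked through above done in code: parse Apache combined-log lines, decode the phpMyAdmin tbl_change.php query to recover which phpbb_privmsgs row was read, and tag each hit with the ssh accounts that auth.log shows logging in from the same IP. The sample lines are constructed (RFC 5737 addresses, dummy token) and modelled on the entries quoted above; the msg_ids 26347 and 27187 are the ones the article discusses.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" access-log line as quoted in the article; an optional "file:" grep prefix is tolerated.
ACCESS_RE = re.compile(
    r'^(?:[\w.\-]+:)?(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Decoded phpMyAdmin primary_key, e.g.  `phpbb_privmsgs`.`msg_id` = 27187
PK_RE = re.compile(r'`(?P<table>\w+)`\.`(?P<col>\w+)`\s*=\s*(?P<val>\d+)')
SSHD_RE = re.compile(r'sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+')

def phpmyadmin_row_view(url):
    """(db, table, column, value) for a phpMyAdmin tbl_change.php single-row view, else None.
    parse_qs does the %60 -> `, %3D -> =, '+' -> space cleanup the article performs by hand."""
    parts = urlsplit(url)
    if not parts.path.endswith('/tbl_change.php'):
        return None
    q = parse_qs(parts.query)
    m = PK_RE.search(q.get('primary_key', [''])[0])
    if not m:
        return None
    return q.get('db', [''])[0], q.get('table', [''])[0], m['col'], int(m['val'])

def ssh_identities(auth_lines):
    """Map source IP -> sorted accounts that completed an sshd login from it (the auth.log step)."""
    ident = {}
    for line in auth_lines:
        m = SSHD_RE.search(line)
        if m:
            ident.setdefault(m['ip'], set()).add(m['user'])
    return {ip: sorted(users) for ip, users in ident.items()}

def privmsg_row_views(access_lines, auth_lines, watched_ids):
    """Successful phpMyAdmin reads of phpbb_privmsgs rows whose msg_id is watched, each reported
    as (ISO timestamp, client IP, msg_id, ssh accounts seen from that IP)."""
    ident = ssh_identities(auth_lines)
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m['status'] != '200':
            continue
        row = phpmyadmin_row_view(m['url'])
        if row and row[1:3] == ('phpbb_privmsgs', 'msg_id') and row[3] in watched_ids:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            hits.append((ts.isoformat(), m['ip'], row[3], ident.get(m['ip'], [])))
    return hits

# Constructed sample lines modelled on the article's entries (RFC 5737 IPs, dummy token).
ACCESS = [
    'ecanada.ws_access_log.1:203.0.113.7 - - [11/Jun/2010:01:07:34 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=0000&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+26347&goto=sql.php HTTP/1.1" 200 5567 "http://ecanada.ws/phpmyadmin/sql.php" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=0000&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&goto=sql.php HTTP/1.1" 200 5685 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jun/2010:15:40:12 -0700] "GET /forums/ucp.php?i=pm&mode=view&p=27187 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
]
AUTH = [
    'auth.log:Jun 14 15:29:26 collective sshd[4738]: Accepted publickey for ecanada from 203.0.113.7 port 51234 ssh2',
    'auth.log:Jun 14 18:39:42 collective sshd[13834]: Accepted publickey for ecanada from 203.0.113.7 port 51240 ssh2',
]
```

The third access line is the forum's own PM viewer rather than a direct database read, so it is not reported; only phpMyAdmin row views of watched message ids are.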
The new forums will be at ecanada.cc - please bookmark this. No old information from the forums should be lost, but players who have been inactive may be cleaned up, and NeoIce, a neutral third party, will now be the new root admin.
Thank you eCanada for your patience in this investigation. It feels very liberating to have discovered who is responsible, even though it was a longtime eCanadian and somebody I had thought I could trust. Nonetheless, I'm glad the truth has come out.
Let's all hope the admins see the light and return the guns and CAD 1ronman has taken and give it back to the eCanadian people.
Comments
Bear with me while I fix all the wonky links and images.
There is an old saying...
"The truth shall set you free"
Thank you Dade for keeping your word to vigorously chase this issue and bring resolution. As sad as the result is, at least we now have closure on the matter.
wow... never thought i'd see the day
Wow...
Great work... That really is a shame.
Let Justice Rain.
Wow 1ronman and Ironman are supposed to be rich
Too many people blindly trust those who have worked their way to the top, and assume no wrong has been done even when the proof is being slapped in their face...
I hope this can serve as an eye opening moment for all those in Canada who have been blind to the truth.
1ronman can't haz CP
1ronman can has JB?
~fkuu~
My statement at this time: IP and Login are not complete 100% proof. I will work to prove my innocence of course I cannot guarantee anything. For the record, someone else in my household does play eRepublik, and this will be where my main investigation begins.
Bastard. Good job with the investigation, Dade, Shaun, and NeoIce.
I trust that if this is the work of somebody in your household, 1ronman, that you will promptly rectify everything and return all funds.
I didn't give 1ronman enough credit. I'm proud of him.
Great work, Dade and CSIS ~~
damn, i didn't see that one coming.
great work on this though dade. glad to see we've actually caught a theft for once!
good leadership, my friend
Ban the Bastard!
1ronman: While you are correct, the IP only identifies a household(either a single computer or firewall in front of multiple computers), any individual in your household would also have to have *your* passwords to access the DB. Either way it goes, you are in some way to blame and trust has been broken.
So it turns out to be another protest against our ineffective government. whew.
Good work with the investigation! I'm just terribly disappointed.
Artorius Perim
Wow, what an amazing investigation. Ironclad!
o7 Dade
What a disappointment.
Thanks for your persistence, Dade.
We're all disappointed, Art.
gj dade, great work.
Hah, good on you Dade
I had suspected that the password might have been sent over the forum and I know on some forums admins can indeed read PM's...
Luckily that sort of information is also recorded
Good work Dade.
Thank you Bruck
Dade, your government has finally impressed me.
cheers,
Scotty
🙂
What scum.
Also, have I told you how much I love you, Dade?
Good work, and all hail the all-seeing eye!
I hate to say I told you so............BUT I TOLD YOU SO
while the evidence seems to be conclusive, 1ronman should still be allowed to present his case and let's not forget that he is guaranteed his rights to a fair trial.
This is an interesting development.
Good work Dade, and everyone involved. The evidence is very strong and i applaud your investigation and swift move of the forums.
Wow. Did not see that coming.
We found one of the bad guys! good investigation!
Thank you for this Dade
There goes ironman's presidential bid!!! LOL
That just proves that we voted for the right man!! Good work! Keep it up!
To 1ronman:
This is a bit too much and not acceptable! If it wasn't you I suggest you clarify this within the next 24 hours! As indicated by the honourable PM you should immediately return what was taken from your fellow eCanadians!
To Chief Justice:
I strongly recommend taking appropriate action. If proven guilty, which it looks like at the moment, the strongest possible judgement should follow!
To all eCanadians:
Bear with the government and assist where you can!
Cheers,
Julius I
I am disappoint.
Great work Dade.
I'll bet it was his grandma.
Thanks CSIS for all YOUR hard work 🙂
Tem...you make me laugh
For us old CAFers that were around when we "lost" our months supply of money guess who was MoD at that time........
😁 I'll say Ironman for what Ramizeth asked...
But I'm freakin disappointed, I thought I could trust you bro. You lied to each and every one of us and almost killed an entire industry with the stockpile, all this for what? Gold? You're doing this to us after everything we've given you?
I spit on you, you are a disgrace for this nation and I'll make sure no one will ever give you any position in any Allied Country.
I really hope that 1ronman can show that he is not responsible for this... but the evidence is very convincing and consistent. This is a major downer. 🙁
Haha....Dade.....
you know the whole impeachment thing was just for the lulz right?
😉
oooo.... burned 😃....
but what a shame 🙁
Alright Chucky, way to be consistent with your treatment of traitors.
@Green Hawk
Fair trial? Gimme a break.
I present to you the case of PimpDollaz: in the face of overwhelming evidence you are guilty until proven innocent.
As for discipline, PimpDollaz is the yardstick: restitution of 8 times the value of the crime and an absolute ban until it's done, plus 30 days.
String him up in the town square and flog him.